Brazilian Data Protection Authority Supervisory and Sanctioning Proceeding Receives Regulation by the Authority

On October 28, the National Data Protection Authority (“ANPD”, its acronym in Portuguese) approved a resolution regulating the Supervisory Proceeding, as well as the Sanctioning Administrative Proceeding within the scope of the Authority.

The regulatory framework is quite relevant, and mainly, signals to market agents that the ANPD is functioning and organizing itself institutionally to exercise its inspection activities, which include: (i) monitoring; (ii) orientation; (iii) prevention, and (iv) repression.

Despite this, no guidelines have been established yet, regarding the dosimetry of sanctions and the calculation of the base value for the application of penalties. This point should be clarified later on in a specific rule published by the ANPD, subject to prior public consultation. In addition, the new regulations safeguard the ANPD’s Board of Directors’ power to issue an Ordinance to establish the necessary complementary instructions.

Thus, in general, the new resolution seeks to address the duties of the regulated agents, as well as to determine procedural provisions relating to subpoenas, deadlines, communication, and the awareness of administrative acts from the authority.

Furthermore, the regulations provide for the ANPD’s inspection powers, which must comply with a series of premises provided for in the regulations, may be carried out (i) ex officio; (ii) as a result of periodic inspection programs; (iii) in a coordinated manner with public agencies and entities; or (iv) in cooperation with data protection authorities of other countries.

In relation to the ANPD’s acting areas in exercising this authority, it states that:

  • The activity of monitoring should gather relevant information and data to support decision making by the ANPD, in order to ensure regular functioning of the regulated environment. The agency’s General Inspection Coordination, whose competencies are defined in the ANPD’s Internal Regulations, will conduct the monitoring of treatment activities, based on a compliance assessment, to plan and subsidize the authority’s inspection activities. The monitoring also involves the production of an annual report, as well as a biannual map of priority issues to consolidate information on activities and guide the authority’s future actions.
  • Guidance is focused on cost-effectiveness and the use of methods and tools to promote guidance, awareness, and education for data processors and subjects. Guidance measures include good practice guides, recommendations of technical standards, and document templates to be used by the processing agents, among other products.
  • Prevention preferably consists of action based on the joint construction and dialogue of solutions and measures that aim to bring the processing agent back into full compliance or to avoid or remedy situations that may lead the personal data holders and other processing agents into situations of risk or damage. Note that the measures applied in the preventive context do not constitute a sanction to the regulated agent and may include the disclosure of information, warnings, the request for regularization or additional information, or even a compliance plan, which in the case of non-compliance, will lead to repressive action by the authority.
  • Repressive activity is characterized by the coercive action of the ANPD, aimed at the interruption of situations of damage or risk, the return to full compliance, and the punishment of those responsible, by applying the sanctions provided for in Article 52 of the LGPD through the administrative sanctioning process. In conducting the proceedings, the ANPD shall comply with the principles of legality, purpose, motivation, reasonability proportionality, morality, full defense, adversary system, legal certainty, public interest, and efficiency, among others.

Regarding the administrative proceeding within the scope of the ANPD, the resolution establishes that the proceeding may be initiated ex officio, at the request of the Inspection Coordination, or as a result of a monitoring process. Additionally, the General Inspection Coordination may, through ex officio or upon request, make preliminary inquiries by means of a preparatory procedure, when the evidence of an infraction is not sufficient for the immediate opening of a sanctioning administrative proceeding. Once the instruction phase of the preparatory procedure is concluded, the General Inspection Coordination may close the procedure or initiate a sanctioning administrative procedure, without damage to the adoption of guidance and prevention measures, depending on the case.

After the infraction notice has been issued, the accused party may present its defense, add any evidence it deems necessary, or present closing arguments. After analyzing the records, the General Inspection Coordination will issue a final decision, which may be appealed to the ANPD Board of Directors.

In order to ensure the aforementioned action of the ANPD, the processing agents have the duty to provide information and documents, allow the authority access to facilities and equipment, be submitted to audits conducted or determined by the ANPD, and keep physical and digital documents during the periods determined legally or administratively. Furthermore, Law No. 9.874, which regulates the Administrative Proceeding, has subsidiary application.

Finally, it should be noted that the General Inspection Coordination Office may also receive Conduct Adjustment Declaration (“TAC”) requests, which have the effect of suspending any administrative proceedings in progress until the term is fully complied with, once the case has been dismissed.

The Resolution is already in effect and can be accessed here. The first monitoring period will begin in January 2002.